Bug 141669 - ldconfig: denials during yum upgrade
ldconfig: denials during yum upgrade
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
rawhide
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-12-02 15:16 EST by Ivan Gyurdiev
Modified: 2007-11-30 17:10 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-12-28 21:15:36 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ivan Gyurdiev 2004-12-02 15:16:00 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041114 Firefox/1.0

Description of problem:
The general pattern goes like this:

Dec  1 11:18:33 cobra kernel: audit(1101917913.660:0): avc:  denied  {
read } for  pid=24828 exe=/sbin/ldconfig
path=/var/cache/yum/development/packages/libglade-java-2.8.2-1.i386.rpm
dev=dm-0 ino=179876 scontext=root:system_r:ldconfig_t
tcontext=root:object_r:var_t tclass=file

Dec  1 11:19:41 cobra kernel: audit(1101917981.451:0): avc:  denied  {
read write } for  pid=24838 exe=/sbin/ldconfig path=socket:[56845]
dev=sockfs ino=56845 scontext=root:system_r:ldconfig_t
tcontext=root:system_r:unconfined_t tclass=tcp_socket

Dec  1 11:19:41 cobra kernel: audit(1101917981.451:0): avc:  denied  {
read write } for  pid=24838 exe=/sbin/ldconfig path=socket:[56854]
dev=sockfs ino=56854 scontext=root:system_r:ldconfig_t
tcontext=root:system_r:unconfined_t tclass=tcp_socket

Dec  1 11:19:41 cobra kernel: audit(1101917981.451:0): avc:  denied  {
read write } for  pid=24838 exe=/sbin/ldconfig path=socket:[56863]
dev=sockfs ino=56863 scontext=root:system_r:ldconfig_t
tcontext=root:system_r:unconfined_t tclass=tcp_socket

...etc

repeat for every other package being installed.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.19.8-4

How reproducible:
Didn't try

Steps to Reproduce:

    

Additional info:
Comment 1 Daniel Walsh 2004-12-02 16:11:46 EST
I have no idea what is causing this????

I am seeing not seeing this here.

I can add a rule 

dontaudit ldconfig_t unconfined_t:tcp_socket { read write };

Looks like a filedescriptor from rpm is being leaked.
Comment 2 Ivan Gyurdiev 2004-12-02 18:26:36 EST
Okay I can't reproduce this either - I tried, but everything works as
it should.

To provide more detail, however..
the pattern above should actually be:
              read/write denied on socket...
              read/write denied on socket...
              read denied on cached rpm

Also, I created a summary of the packages that triggered denials 
from /var/log/messages, and here it is:

[root@cobra log]# grep rpm messages|sed -e
s/"cobra".*"packages\/"//|sed -e s/"dev=".*//
Dec  1 11:16:14 libselinux-1.19.2-1.i386.rpm
Dec  1 11:16:36 alsa-lib-1.0.6-6.i386.rpm
Dec  1 11:18:33 libglade-java-2.8.2-1.i386.rpm
Dec  1 11:19:41 libgnome-java-2.8.2-1.i386.rpm
Dec  1 11:20:21 libgtk-java-2.4.6-1.i386.rpm
Dec  1 11:20:40 libgconf-java-2.8.2-1.i386.rpm
Dec  1 11:20:49 xorg-x11-libs-6.8.1-21.i386.rpm
Dec  1 11:20:50 xorg-x11-Mesa-libGL-6.8.1-21.i386.rpm
Dec  1 11:21:20 xorg-x11-Mesa-libGLU-6.8.1-21.i386.rpm
Dec  1 11:21:46 xorg-x11-deprecated-libs-6.8.1-21.i386.rpm
Dec  1 11:21:48 Xaw3d-1.5E-1.i386.rpm
Dec  2 14:20:00 expat-1.95.8-4.i386.rpm
Dec  2 14:20:30 isdn4k-utils-3.2-21.i386.rpm
Dec  2 14:23:34 boost-1.32.0-2.i386.rpm
Dec  2 14:23:51 gtksourceview-1.1.0-4.fc3.i386.rpm
Dec  2 14:24:29 procps-3.2.4-1.i386.rpm
Dec  2 14:25:02 xorg-x11-libs-6.8.1-22.i386.rpm
Dec  2 14:25:03 xorg-x11-Mesa-libGL-6.8.1-22.i386.rpm
Dec  2 14:25:08 qt-3.3.3-16.i386.rpm
Dec  2 14:25:09 xorg-x11-Mesa-libGLU-6.8.1-22.i386.rpm
Dec  2 14:25:47 evolution-2.0.2-6.i386.rpm
Dec  2 14:26:52 xorg-x11-deprecated-libs-6.8.1-22.i386.rpm
Dec  2 14:27:24 gdm-2.6.0.5-9.i386.rpm
[root@cobra log]#

Will close bug if I see no more problems in the future.




Comment 3 Ivan Gyurdiev 2004-12-03 18:03:35 EST
Closing for now....
Comment 4 Ivan Gyurdiev 2004-12-04 16:18:10 EST
..and reopening since the problem isn't going away:

Dec  4 15:41:58 glibc-2.3.3-87.i686.rpm
Dec  4 15:43:12 cups-libs-1.1.22-4.i386.rpm
Dec  4 15:43:15 libselinux-1.19.3-1.i386.rpm
Dec  4 15:43:33 ghostscript-7.07-35.i386.rpm
Dec  4 15:44:59 evolution-data-server-1.0.2-5.i386.rpm
Dec  4 15:46:47 glibc-utils-2.3.3-87.i386.rpm
Comment 5 Ivan Gyurdiev 2004-12-06 14:03:04 EST
In all three cases there's a policy load:

   On Dec 1 after alsa-lib denials,
   On Dec 2 after isdn4k-utils denials,
   On Dec 4 after glibc-utils denials,

Dec  4 15:47:04 cobra kernel: audit(1102193224.728:0): avc:  granted 
{ load_policy } for  pid=31728 exe=/usr/sbin/load_policy
scontext=root:system_r:unconfined_t
tcontext=system_u:object_r:security_t tclass=security
Comment 6 Daniel Walsh 2004-12-17 16:30:19 EST
Fixed in selinux-policy-targeted-1.19.14-3
Comment 7 Ivan Gyurdiev 2004-12-22 22:49:14 EST
Will wait to confirm - I wasn't able to work
on my computer until today (Dec 22), and I was still seeing this 
denial in today's upgrade. I am now completely relabeling the
system with the 1.19.15 policy, and will close the bug if
future upgrades do not trigger it.


Comment 8 Ivan Gyurdiev 2004-12-23 17:24:03 EST
New denial, with the 1.19.15-4(?) policy.

Dec 23 12:45:12 cobra kernel: audit(1103823912.171:0): avc:  denied  {
search } for  pid=9533 exe=/sbin/ldconfig name=var dev=dm-0
ino=1168129 scontext=root:system_r:ldconfig_t
tcontext=system_u:object_r:var_t tclass=dir

during this upgrade:

Dependencies Resolved
Transaction Listing:
  Install: kernel.i686 0:2.6.9-1.1049_FC4
  Update: gnumeric.i386 1:1.4.1-5
  Update: guile.i386 5:1.6.4-16
  Update: kernel-doc.noarch 0:2.6.9-1.1049_FC4
  Update: libtiff.i386 0:3.7.1-2
  Update: libtiff-devel.i386 0:3.7.1-2
  Update: lvm2.i386 0:2.00.32-1.0
  Update: mikmod.i386 0:3.1.6-33
  Update: nc.i386 0:1.10-24
  Update: rpmdb-fedora.i386 1:4-0.20041223
  Update: selinux-policy-targeted.noarch 0:1.19.15-5
  Update: xpdf.i386 1:3.00-14

Here's the neighboring log context:

Dec 23 12:45:12 cobra kernel: audit(1103823912.171:0): avc:  denied  {
search } for  pid=9533 exe=/sbin/ldconfig name=var dev=dm-0
ino=1168129 scontext=root:system_r:ldconfig_t
tcontext=system_u:object_r:var_t tclass=dir
Dec 23 12:45:13 cobra kernel: audit(1103823913.031:0): avc:  granted 
{ load_policy } for  pid=9539 exe=/usr/sbin/load_policy
scontext=root:system_r:unconfined_t
tcontext=system_u:object_r:security_t tclass=security
Dec 23 12:45:13 cobra kernel: security:  3 users, 4 roles, 520 types,
49 bools
Dec 23 12:45:13 cobra kernel: security:  54 classes, 33434 rules
Dec 23 12:45:13 cobra dbus: avc:  received policyload notice (seqno=1)
Dec 23 12:45:13 cobra dbus: avc:  3 AV entries and 3/512 buckets used,
longest chain length 1
Dec 23 12:45:13 cobra dbus: avc:  received policyload notice (seqno=1)
Dec 23 12:45:13 cobra dbus: avc:  1 AV entries and 1/512 buckets used,
longest chain lengt
Comment 9 Ivan Gyurdiev 2004-12-28 21:15:36 EST
Closing this for now...  the original bug should be fixed.
I have bigger problems with SElinux.





Note You need to log in before you can comment on or make changes to this bug.